diff options
author | John Johansen <john.johansen@canonical.com> | 2014-10-24 09:16:14 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2016-07-12 08:43:10 -0700 |
commit | 6059f71f1e94486a51cef90e872add11fa7b5775 (patch) | |
tree | ab2c3f7e887584e678843347030f35aab7828074 /security/apparmor/Kconfig | |
parent | bd35db8b8ca6e27fc17a9057ef78e1ddfc0de351 (diff) | |
download | linux-6059f71f1e94486a51cef90e872add11fa7b5775.tar.bz2 |
apparmor: add parameter to control whether policy hashing is used
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat (limited to 'security/apparmor/Kconfig')
-rw-r--r-- | security/apparmor/Kconfig | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig index 232469baa94f..be5e9414a295 100644 --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig @@ -31,13 +31,26 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE If you are unsure how to answer this question, answer 1. config SECURITY_APPARMOR_HASH - bool "SHA1 hash of loaded profiles" + bool "Enable introspection of sha1 hashes for loaded profiles" depends on SECURITY_APPARMOR select CRYPTO select CRYPTO_SHA1 default y help - This option selects whether sha1 hashing is done against loaded - profiles and exported for inspection to user space via the apparmor - filesystem. + This option selects whether introspection of loaded policy + is available to userspace via the apparmor filesystem. + +config SECURITY_APPARMOR_HASH_DEFAULT + bool "Enable policy hash introspection by default" + depends on SECURITY_APPARMOR_HASH + default y + + help + This option selects whether sha1 hashing of loaded policy + is enabled by default. The generation of sha1 hashes for + loaded policy provide system administrators a quick way + to verify that policy in the kernel matches what is expected, + however it can slow down policy load on some devices. In + these cases policy hashing can be disabled by default and + enabled only if needed. |